Policy Question

Thread starter: compsosinc@gmail.com
We know this is a bad setup but, if a Windows 2003 Domain Controller
is also a Terminal Server, what is the recommended way to set up Group
Policy for groups of users relative to the OU structure? We are more
familiar (but not experts) with setting up a TS when it is a member
server and you move it into its own OU. We have a mix of Thin-clients
and XP Pro workstations that will connect to the DC/TS.

So for example, we have the following types of users:

1. Remote users using Thin Clients -- located at another office who
need to login to the TS to use (3) applications and have their own
folders on the TS but restricted use otherwise. The Thin-clients have
no local printers. And based on the Thin-client OS we have to let them
use the Internet on the TS.

2. Remote users using XP Pro workstations - same as #1, need folders,
but do not need their local environment restricted. Should we just
join them to the domain through the VPN as if they were on the local
LAN?

3. Local LAN users -- currently using XP workstations. Users are
currently set up in their own OUs (SalesOU, AcctOU, etc.) for the
purpose of implementing Internet policy. Working well.


So, in this particular environment, is it best to just create separate
OUs for the (2) types of remote users and move the user accounts into
the respective OU(s) and create a GP linked to them? I do not think we
have a choice here...

Secondly, some of the remote users from #1 may log in locally (Main
Office) to the Domain from an XP Workstation, not a thin-client. Could
we just set up separate user accounts (different login for local use vs
remote use)?

We are in the test lab now but trying to determine the best approach
since we generally do not move user accounts into OUs. Sounds like we
need to also move the XP computers into the OUs as well?

Thanks
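The OU layout the post proposes (one OU per remote-user population, a GPO linked to each, accounts moved in) can be scripted and verified. The block below is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 tooling or later, since the 2003-era thread would have used the GPMC GUI), and the OU, GPO and account names in it are hypothetical.

```powershell
# Added example (not from the thread): create the two remote-user OUs, link one
# user-side GPO to each, move the accounts in, then print what was built.
# Assumes RSAT ActiveDirectory + GroupPolicy modules; names below are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

# OU name -> GPO carrying the User Configuration settings for that population
$layout = [ordered]@{
    'RemoteThinClientUsers' = 'TS-Remote-ThinClient-Users'   # locked down: 3 apps, own folder, browser allowed
    'RemoteXPUsers'         = 'TS-Remote-XP-Users'           # folders only, no desktop restrictions
}

foreach ($ouName in $layout.Keys) {
    $ouDN = "OU=$ouName,$domainDN"

    # Create the OU once; the protection flag guards against an accidental delete
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }

    # Create the GPO if it does not exist; it starts empty and is authored afterwards
    $gpoName = $layout[$ouName]
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | Out-Null
    }

    # Link the GPO to the OU exactly once (re-running the script must not add duplicate links)
    $alreadyLinked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $alreadyLinked) {
        New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
    }
}

# Move the user accounts into their OU (constructed sample account names)
$moves = @{
    'RemoteThinClientUsers' = @('rthin01', 'rthin02')
    'RemoteXPUsers'         = @('rxp01')
}
foreach ($ouName in $moves.Keys) {
    foreach ($sam in $moves[$ouName]) {
        $user = Get-ADUser -Identity $sam
        Move-ADObject -Identity $user.DistinguishedName -TargetPath "OU=$ouName,$domainDN"
    }
}

# Verify: each OU, the GPOs linked to it, and the accounts now directly under it
foreach ($ouName in $layout.Keys) {
    $ouDN = "OU=$ouName,$domainDN"
    $links   = (Get-GPInheritance -Target $ouDN).GpoLinks | ForEach-Object { $_.DisplayName }
    $members = Get-ADUser -SearchBase $ouDN -SearchScope OneLevel -Filter * | ForEach-Object { $_.SamAccountName }
    "{0}: GPOs=[{1}] users=[{2}]" -f $ouName, ($links -join ','), ($members -join ',')
}
```

Because these GPOs are linked to OUs that hold user objects, only their User Configuration half takes effect, and it follows the account to every machine it logs on to: a #1 user who also logs on from an XP workstation at the main office receives the same user policy there. Computer-side settings for the XP workstations need a GPO linked to the OU that contains the computer objects, which is what the last question in the post is getting at.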
 
Re: Policy Question

There is no recommended way to use a DC as a Terminal Server for 2 main
reasons:
1.) Performance issues: e.g. the DC and TS will compete for memory
2.) Security reasons: interactive domain controller access should be limited
to only highly trusted users in the Administrator group.

--
Alice Kupcik
Program Manager - Microsoft
http://blogs.msdn.com/ts

This posting is provided "AS IS" with no warranties, and confers no rights.


<compsosinc@gmail.com> wrote in message
news:d2ac2782-0041-4d8a-bda3-c7a6d9811473@m23g2000hsc.googlegroups.com...
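The second reason given above, that interactive access to a domain controller should be limited to highly trusted administrators, is something you can check directly on the box. The block below is an added example, not code from the thread or from Microsoft: it exports the local user-rights assignments with secedit, resolves who holds the right to log on through Terminal Services, and compares that against an allow-list, which is an assumption of the example. Run it on the DC in an elevated session.

```powershell
# Added example (not from the thread): list who may log on to this server through
# Terminal Services / Remote Desktop (SeRemoteInteractiveLogonRight) and flag anyone
# outside an allow-list. The allow-list is an assumption of this example.

function Get-RemoteLogonRightHolders {
    # secedit writes the effective local security policy to an .inf; only user rights are needed
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }   # right assigned to nobody

    # Right-hand side is comma-separated; SIDs carry a leading '*', names appear verbatim
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry }   # unresolvable SID (e.g. a deleted account): report it raw
        } else {
            $entry
        }
    }
}

# Assumed allow-list: on a DC only the built-in Administrators group should hold the right
$allowed = @('BUILTIN\Administrators')

$holders    = Get-RemoteLogonRightHolders
$unexpected = $holders | Where-Object { $allowed -notcontains $_ }

"Holders of SeRemoteInteractiveLogonRight: $($holders -join ', ')"
if ($unexpected) {
    Write-Warning ("Remote logon to this DC is also granted to: " + ($unexpected -join ', '))
} else {
    "Remote interactive logon is restricted to: $($allowed -join ', ')"
}
```

If installing the Terminal Server role on the DC has left Remote Desktop Users (or any group the remote thin-client users are placed in) holding this right, the script reports it, which is exactly the exposure the reply is warning about: every account allowed a TS session on this machine has an interactive session on a domain controller.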
 
Re: Policy Question

On Feb 26, 7:45 pm, "Alice Kupcik [MSFT]"
<alice.kup...@online.microsoft.com> wrote:

We know what you are saying, and maybe 'recommended' was the wrong
choice of words. However, can you comment on the OU structure in this
case? Thank you.
 
Re: Policy Question

I think that's a better question for the Active Directory/ Domain Controller
newsgroup than for TS:
http://www.microsoft.com/communitie...rosoft.public.windows.server.active_directory

Thx. Alice

--
Alice Kupcik
Program Manager - Microsoft
http://blogs.msdn.com/ts

This posting is provided "AS IS" with no warranties, and confers no rights.


<compsosinc@gmail.com> wrote in message
news:f5765cc9-99a7-498b-afb3-407048717097@28g2000hsw.googlegroups.com...
 